zdia / gorilla

Password Gorilla manages passwords

Not an issue, but a suggestion: to make brute force attacks useless ... #106

Open MartinL0815 opened 11 years ago

MartinL0815 commented 11 years ago

Hi,

just a thought about making brute force attacks useless:

  1. don't tell the password is not matching
  2. open the database
  3. provide random values as user names and passwords
  4. if the app locks, provide the same "random" values after unlocking

Wouldn't this work?

Best regards,

Martin

rich123 commented 11 years ago

Someone attempting to "brute force" your PasswordGorilla by manually typing passwords into PWGorilla would still know they had not found the correct password, because a fully random set of usernames would not be typical.

But if someone is able to type into your locked gorilla, it means they are using your system, and can just as easily copy your password safe file to a USB key and then depart, to perform an automated brute force attack later on their own system.

Providing random user names/passwords in the GUI is useless when someone is using a computer to try thousands/millions of possible passwords per second against your pwsafe data file directly. What saves you there is: 1) having a strong master password, and 2) having a reasonable iterations count on the pwsafe file such that the automated attempts are slowed to only a few attempts per second from thousands or millions per second.

But in the end, there is no actual defense against a true brute force attempt (trying all possible passwords). It is guaranteed to succeed. What makes it ineffectual is that the guarantee of success occurs in fifteen million years (or more), which for most humans is much too long to wait.

zdia commented 11 years ago

@MartinLemburg:

And why would you like to cancel the key stretching mechanism? On modern machines 2048 rounds (default) take less than 1 second.
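To make the "iterations count" argument from the two replies above concrete, here is an added example (not Password Gorilla's own code, nor anything from the thread participants) that models the offline attack rich123 describes: an attacker copies the safe file and runs a dictionary against it, and the only thing that raises the per-guess cost is the key stretching. The stretching shape used here is my reading of the Password Safe V3 format (`P' = SHA-256^ITER(SHA-256(password || salt))`, with `SHA-256(P')` stored so the app can check the master password); the header layout, the candidate list and the master password are constructed for the demo, and the later Twofish steps of the real file format are deliberately left out.

```python
"""Key stretching versus an offline dictionary attack on a copied safe file.

Added illustration, not Password Gorilla's code. Assumed (from the pwsafe V3
spec as I understand it):
    P'  = SHA-256 applied ITER times on top of SHA-256(password || SALT)
    HP' = SHA-256(P')   # kept in the file header so the app can test a master password
Everything after the header (key blocks, Twofish, HMAC) is omitted on purpose.
"""
import hashlib
import hmac
import os
import time


def stretch_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Return P' for the given password/salt/ITER (costs iterations + 1 SHA-256 calls)."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    x = hashlib.sha256(password + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x


def make_header(password: bytes, salt: bytes, iterations: int) -> dict:
    """Build the public part of a safe file: salt, ITER and HP' = SHA-256(P').

    None of these values are secret; an attacker who copies the file has all of them.
    """
    p_prime = stretch_key(password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "hp": hashlib.sha256(p_prime).digest()}


def check_password(header: dict, candidate: bytes) -> bool:
    """What the GUI does when you type a master password: stretch and compare HP'."""
    p_prime = stretch_key(candidate, header["salt"], header["iterations"])
    return hmac.compare_digest(hashlib.sha256(p_prime).digest(), header["hp"])


def brute_force(header: dict, candidates) -> tuple:
    """Offline dictionary attack against the copied header.

    Returns (password_or_None, sha256_calls_spent). The count is exact for the
    scheme above: ITER + 1 hashes to stretch each guess, plus 1 to hash P'.
    Because stretching is deterministic, no amount of GUI trickery (fake
    unlocks, random fillers) changes this arithmetic; only ITER does.
    """
    hashes = 0
    for guess in candidates:
        p_prime = stretch_key(guess, header["salt"], header["iterations"])
        hashes += header["iterations"] + 1
        hashes += 1  # the SHA-256(P') comparison hash
        if hmac.compare_digest(hashlib.sha256(p_prime).digest(), header["hp"]):
            return guess, hashes
    return None, hashes


def seconds_per_guess(iterations: int, trials: int = 20) -> float:
    """Rough wall-clock cost of one guess at a given ITER on this machine."""
    salt = os.urandom(32)  # constructed, throwaway salt
    start = time.perf_counter()
    for i in range(trials):
        stretch_key(b"guess-%d" % i, salt, iterations)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    # Constructed demo inputs: a weak master password and a tiny wordlist that contains it.
    master = b"letmein"
    wordlist = [b"password", b"123456", b"qwerty", b"letmein", b"monkey"]
    salt = os.urandom(32)

    for iters in (1, 2048):
        header = make_header(master, salt, iters)
        found, cost = brute_force(header, wordlist)
        print(f"ITER={iters:5d}: found={found!r} after {cost} SHA-256 calls, "
              f"~{seconds_per_guess(iters) * 1e6:.0f} us per guess")
    # Same dictionary, same answer; the stretched file just costs ~1000x more per guess.
```

Running the block prints the same recovered password for both headers, but the call count and the measured time per guess differ by roughly the ratio of the ITER values, which is the slowdown rich123 and zdia are relying on. Since the attacker controls the hardware once the file is copied, the realistic defence is the product of the two factors named in the thread: a strong master password (many more candidates than a wordlist) multiplied by a per-guess cost high enough that even a GPU farm is reduced to a modest rate.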